I've read through this article a couple of times, and am pretty sure it's relevant -- but not directly applicable -- to my setup.

Not doing so well on the 2nd part

... TO UNDERSTAND IT.

I've managed to completely confuse myself so far.

I have:
(1) a local LAN with one desktop & one mail-server, behind a firewall/router.
(2) a remote/hosted Server running a firewall & one web-server

My ascii-art depiction of the system is below.

I want to:
(a) Set up the Hosted Server as an OpenVPN server
(b) Ping from server <-> desktop/client over VPN
(c) Access the web server @ a private IP over an OpenVPN link from the Desktop, i.e., http://10.2.3.4
(d) 'Connect/redirect' the HostedServer's port:25 over a 2nd OpenVPN link to the MailServer's port:25,
so mail sent TO 1.2.3.4:25 gets TO the MailServer on the LAN, &
mail sent FROM the MailServer on the LAN appears to originate from the HostedServer @ 1.2.3.4:25

Thank you for this illustration! It helps. I have one more request. Can you tell me how to configure this same illustrated setup with a slightly major alteration?

I wish to have the same ability to communicate from LAN to LAN to LAN in your single server and two client setup example here, however, I wish for all traffic from all LANs to be routed out only over the server gateway from a routed and not bridged network perspective. Also would like the DNS server used by the server gateway to serve all client stations in addition to the gateway. This will be for a dd-wrt setup if that is important to the solution.

DonJuane wrote:
Thank you for this illustration! It helps. I have one more request. Can you tell me how to configure this same illustrated setup with a slightly major alteration?

I wish to have the same ability to communicate from LAN to LAN to LAN in your single server and two client setup example here, however, I wish for all traffic from all LANs to be routed out only over the server gateway from a routed and not bridged network perspective. Also would like the DNS server used by the server gateway to serve all client stations in addition to the gateway. This will be for a dd-wrt setup if that is important to the solution.

Thanks in advance.

You would first get the LAN routing working with the above document. Then you would start using redirect-gateway def1 on the clients (and enable NAT on the server for the VPN/LAN subnets). Then, when your clients route over the VPN, you would set up your LANs to route using those clients as their default gateway (which is already normal, since you said it would run on the routers).
The above document is only for routing to the LANs, but the rest is not too hard. I have been meaning to make a little writeup on routing internet over VPN, but I haven't gotten around to it.
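The reply above describes three pieces: per-client iroute entries so the server knows which LAN sits behind which client, redirect-gateway def1 pushed to the clients so their default route goes into the tunnel, and NAT on the server for the tunnel and LAN subnets so that traffic can leave through the server's Internet interface. The script below is an added example written for this page, not code from the article or from the OpenVPN project; it generates those pieces for a routed (tun) server with two client LANs and first checks the two things that most often break such a setup: overlapping subnets and a pushed DNS server that the clients cannot actually reach over the tunnel. The tunnel subnet, LAN subnets, client names, interface name and DNS address are all constructed assumptions.

```python
"""Routed OpenVPN server that links two client LANs and sends all of their
Internet traffic out through the server, as the reply above describes.

Added example written for this page; not code from the article or from the
OpenVPN project.  Every address, interface name and client name below is a
constructed assumption; replace them with your own.
"""
import ipaddress
from typing import Dict, List

VPN_SUBNET = "10.8.0.0/24"     # assumption: tunnel subnet handed out by the server
WAN_IFACE = "eth0"             # assumption: server's Internet-facing interface
DNS_SERVER = "10.8.0.1"        # assumption: resolver listening on the server's tun address
CLIENT_LANS: Dict[str, List[str]] = {   # assumption: certificate CN -> LAN(s) behind that client
    "client1": ["10.10.1.0/24"],
    "client2": ["10.10.2.0/24"],
}


def overlap_problems(vpn_subnet: str, client_lans: Dict[str, List[str]]) -> List[str]:
    """Routed mode only works when the tunnel subnet and every LAN are disjoint.

    Returns one message per overlapping pair; an empty list means the plan is sane.
    """
    nets = [("vpn", ipaddress.ip_network(vpn_subnet))]
    for cn, lans in client_lans.items():
        nets += [(cn, ipaddress.ip_network(lan)) for lan in lans]
    problems = []
    for i, (name_a, net_a) in enumerate(nets):
        for name_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append(f"{name_a} {net_a} overlaps {name_b} {net_b}")
    return problems


def dns_reachable(dns: str, vpn_subnet: str, client_lans: Dict[str, List[str]]) -> bool:
    """The pushed resolver must sit on a network the clients route to over the tunnel."""
    addr = ipaddress.ip_address(dns)
    nets = [vpn_subnet] + [lan for lans in client_lans.values() for lan in lans]
    return any(addr in ipaddress.ip_network(n) for n in nets)


def server_conf(vpn_subnet: str, client_lans: Dict[str, List[str]], dns: str) -> List[str]:
    """Directives for server.conf: tun mode, per-client ccd, LAN routes, full tunnel, DNS."""
    net = ipaddress.ip_network(vpn_subnet)
    lines = [
        "dev tun",
        f"server {net.network_address} {net.netmask}",
        "client-config-dir ccd",          # where the per-client iroute files live
        "client-to-client",               # lets one client's LAN reach another's
        'push "redirect-gateway def1"',   # clients send their default route into the tunnel
        f'push "dhcp-option DNS {dns}"',  # and use the server-side resolver
    ]
    for lans in client_lans.values():
        for lan in lans:
            l = ipaddress.ip_network(lan)
            lines.append(f"route {l.network_address} {l.netmask}")  # kernel route into tun
    return lines


def ccd_files(client_lans: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """One ccd/<CN> file per client telling OpenVPN which LAN sits behind that client."""
    return {
        cn: [f"iroute {ipaddress.ip_network(lan).network_address} "
             f"{ipaddress.ip_network(lan).netmask}" for lan in lans]
        for cn, lans in client_lans.items()
    }


def nat_rules(wan_iface: str, vpn_subnet: str, client_lans: Dict[str, List[str]]) -> List[str]:
    """Server-side NAT so tunnel and LAN sources can reach the Internet through the WAN interface."""
    sources = [vpn_subnet] + [lan for lans in client_lans.values() for lan in lans]
    rules = ["sysctl -w net.ipv4.ip_forward=1"]
    for src in sources:
        rules.append(f"iptables -t nat -A POSTROUTING -s {src} -o {wan_iface} -j MASQUERADE")
    return rules


if __name__ == "__main__":
    for problem in overlap_problems(VPN_SUBNET, CLIENT_LANS):
        print("PROBLEM:", problem)
    if not dns_reachable(DNS_SERVER, VPN_SUBNET, CLIENT_LANS):
        print("PROBLEM: pushed DNS server is not on a tunnel-reachable network")
    print("# server.conf")
    print("\n".join(server_conf(VPN_SUBNET, CLIENT_LANS, DNS_SERVER)))
    for cn, lines in ccd_files(CLIENT_LANS).items():
        print(f"# ccd/{cn}")
        print("\n".join(lines))
    print("# run on the server")
    print("\n".join(nat_rules(WAN_IFACE, VPN_SUBNET, CLIENT_LANS)))
```

The routers running the clients still need IP forwarding enabled and their LAN hosts pointed at them as default gateway, which is the reply's last step. Because the server holds an iroute for each LAN, packets from LAN hosts pass the server's source-address check without any NAT on the client side; the MASQUERADE rules on the server are what let those private sources reach the Internet.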

I found your article because I ran into the "bad source address from client" in my Windows OpenVPN server log. In fact, I read pretty much every web page Google could find. But still I can't find an answer to my question.

All discussion about this error seems to assume the client has some static LAN IP that can then be configured on the server with iroute, etc. But one of the biggest use cases is for mobile when connecting with public or not-fully-trusted Wi-Fi hotspots. In this case the client LAN IP addresses will be random, and so all this discussion of setting up the client LAN's IP address as part of the server configuration goes out the window. E.g., 10.x.x.x in one location, 172.16.x.x in the next, etc.

I am sure I am missing something but I'll be a monkey's uncle if I can find it. Could you help?

Some more background: at this point I could care less about VPN access from anything other than the client itself. But in my OpenVPN Server log, I get the "bad source address from client [IP of a proxy server required by a connection from my client, or IP of my Wi-Fi hotspot gateway]".

I have tried various configurations but here is an example of one that has this problem:
server.ovpn:

Also to make sure it is very clear, in all cases I am trying to route all internet traffic from the client to the server. In some cases (at work) I will allow some private subnet range to be routed to the local lan and not to the VPN. In all cases my VPN server is running on Windows. The clients will be Windows, Linux, and Android.

Various websites and documentation talk about the use of iptables to route all internet traffic through the VPN server, but I am very confused, as I have routed all internet traffic through the VPN server in the past without the use of iptables. The first time I did it was to my own Windows VPN server set up in TAP bridged mode. More recently, I have been using an OpenVPN service provider and my client is set up in TUN mode. No iptables usage on the client in either case, and I'm able to route all internet traffic through the OpenVPN server just fine.

What could one do if, say, in your particular example "client1 with lan 10.10.1.0" has an IP in that LAN like 10.10.1.120, and that is allocated to a bridged interface, as this client1 is a hypervisor for 5 VMs that are also members of the 10.10.1.0 LAN?

I simply want to have masqueraded values travelling through eth0 to go out to the openvpn server. Is there a way to only have the openvpn client handle traffic on a single device? I am really confused about what I need to be doing. I have tried adding iroutes and using ccd, but I am thinking that since I don't intend to give networks on either side access to one another that the iroute/ccd solution isn't actually going to solve my particular problem.

On the openvpn server (as it is right now) I am seeing errors like:
MULTI: bad source address from client [192.168.42.11], packet dropped
which led me to try out the iroute solution. Maybe I should just stop using masquerading? The clients connect and data is being sent all the way to the openvpn server, but DNS doesn't appear to be working. I cannot ping anything on the internet (e.g. google.com) from the LAN clients, which is my only goal here.
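The last three posts all hit the same server-side check: in routed (tun) mode OpenVPN accepts a packet from a client only when its source address is the client's own tunnel address or lies in a network declared for that client with iroute, and logs "MULTI: bad source address from client [...]" for anything else. The script below is an added example for this thread, not code from the article or from OpenVPN. It reads those log lines, groups the rejected sources by client CN and separates the two situations the posters describe: a client with a fixed LAN behind it, for which it prints the route and iroute pair that would legitimise the traffic, and a roaming client whose rejected sources come from several unrelated networks, which no static iroute can describe. The log lines, client names and addresses are constructed, and the /24 prefix it infers is an assumption that has to be checked against the real netmask.

```python
"""Diagnose OpenVPN's "MULTI: bad source address from client [...]" log lines.

Added example for this thread, not code from the article or from OpenVPN.
In routed (tun) mode the server accepts a packet from a client only if its
source address is that client's tunnel address or lies in a network declared
for that client with iroute; anything else is logged and dropped.  The log
lines, client names and addresses below are constructed, and the script
assumes a /24 behind each client (an assumption; check the real netmask).
"""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, Set

# Constructed sample log: the server prefixes each message with <CN>/<real address>:<port>.
LOG = """\
Mon Jun  3 10:01:02 2013 client1/203.0.113.10:1194 MULTI: bad source address from client [10.10.1.120], packet dropped
Mon Jun  3 10:01:05 2013 client1/203.0.113.10:1194 MULTI: bad source address from client [10.10.1.121], packet dropped
Mon Jun  3 10:02:00 2013 laptop/198.51.100.7:1194 MULTI: bad source address from client [192.168.42.11], packet dropped
Mon Jun  3 11:15:30 2013 laptop/192.0.2.44:1194 MULTI: bad source address from client [172.16.5.9], packet dropped
Mon Jun  3 11:15:31 2013 laptop/192.0.2.44:1194 TLS: soft reset sec=3600 bytes=1234/0 pkts=10/0
"""

PATTERN = re.compile(
    r"(?P<cn>[\w.-]+)/(?P<real>[\d.]+:\d+) MULTI: bad source address from client \[(?P<src>[\d.]+)\]"
)


def bad_sources(log: str) -> Dict[str, Set[ipaddress.IPv4Address]]:
    """Group the rejected source addresses by the client's certificate CN."""
    seen: Dict[str, Set[ipaddress.IPv4Address]] = defaultdict(set)
    for line in log.splitlines():
        m = PATTERN.search(line)
        if m:
            seen[m["cn"]].add(ipaddress.ip_address(m["src"]))
    return dict(seen)


def diagnose(log: str, prefixlen: int = 24) -> Dict[str, dict]:
    """Per client: the route/iroute pair that would legitimise a fixed LAN, or a
    'roaming' verdict when the sources come from more than one network."""
    verdicts = {}
    for cn, addrs in bad_sources(log).items():
        # Collapse the addresses onto their (assumed) /24 networks.
        nets = sorted({ipaddress.ip_network(f"{a}/{prefixlen}", strict=False) for a in addrs},
                      key=lambda n: int(n.network_address))
        if len(nets) == 1:
            net = nets[0]
            verdicts[cn] = {
                "kind": "static-lan",
                "server.conf": f"route {net.network_address} {net.netmask}",
                f"ccd/{cn}": f"iroute {net.network_address} {net.netmask}",
            }
        else:
            verdicts[cn] = {
                "kind": "roaming",
                "subnets": [str(n) for n in nets],
                "advice": ("no fixed LAN to declare; make the client send these packets "
                           "with its tunnel address as source (NAT on its tun interface) "
                           "or stop forwarding its LAN into the tunnel"),
            }
    return verdicts


if __name__ == "__main__":
    for cn, verdict in diagnose(LOG).items():
        print(cn, verdict)
```

The "laptop" entry is the situation in the Wi-Fi hotspot and hypervisor posts above: the rejected sources are whatever network the client happens to sit on, so an iroute cannot be written for them. The two ways out are the ones the verdict names. Either the client NATs the traffic onto its tun interface, so the server sees its tunnel address and needs no iroute at all (masquerading on eth0, as in the last post, leaves the LAN source intact and is exactly what gets dropped), or the client does not forward other hosts' traffic into the tunnel. The route line must go into server.conf and the iroute line into the ccd file, both are needed for the "static-lan" case.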